Chapter 4: Protecting Virtual Machines


Applies To: Hyper-V Server 2012, Windows Server 2012

This chapter provides guidance for protecting the files that are used to create and run virtual machines (VMs), such as virtual hard disk (VHDX) files and configuration files. The chapter also includes best practice information and resources designed to help you safeguard the operating systems running within a VM against common threats.

As files on disk, VM resources can be secured using many of the same techniques that are commonly used to store other files in Windows Server environments, including file system security, encryption, and object access auditing.

To secure supported guest operating systems, see the appropriate documentation from the operating system vendors. The list of supported guest operating systems listed in the Hyper-V Overview.

Conservative approach to Permissions

It is recommended that administrators follow a conservative approach for VM settings and provide each virtual machine access to the physical hard disks, virtual hard disks, and removable storage devices that it needs, and no others.

For example, if a virtual machine does not require access to a resource like a CD/DVD drive except when software is being installed remove the virtual drive or select None as the media when it is not in use.

Time Synchronization

Time synchronization can be important in some auditing scenarios, because the system time of virtual machines can drift out of sync with the management operating system for virtual machines that are under constant heavy load. For time synchronization to work, the appropriate Hyper-V Integration Services will need to be installed on the virtual machines. The details of the installation are covered in Install or upgrade integration services. For virtual machines that are configured as domain controllers, disabling time synchronization is recommended to ensure that domain controllers use the default Windows Time service (W32time) domain hierarchy time synchronization.

Decommissioning high-security virtual hard disks

For high-security VMs that contain sensitive information, establish a process for securely deleting the virtual hard disk files after decommissioning. Tools such as SDelete, can help with this process. When dedup is used, high-security virtual hard disk files should be placed in a folder that is marked for exclusion from dedup. Running BitLocker on the virtual hard disk files containing sensitive information from the host operating system can also prevent offline information disclosure attacks on high-security virtual hard disks.

OS updates

For security (and other) considerations, it is recommended that the Operating System running inside the guest VM is up to date with the latest patches installed.

Integration Component updates

It is recommended that the integration components in the guest VM’s operating system are up to date.

Firewall and Antivirus Requirements

It is recommended that Firewalls, antivirus software, and intrusion detection software as appropriate for the environment be installed on the virtual machine of interest’s operating system.

Group Policy Considerations

Like physical servers, virtual machines should be added to the appropriate organizational units (OUs) so that Group Policy settings apply correctly.

Shared Resources

When storage and networking resources are shared across more than one VM’s, it is important to consider isolating critical VMs to different virtual networks or storage locations to avoid the possibility of network/storage starvation.

See also:

Chapter 1: Overview

Chapter 2: Hardening the Hyper-V host

Chapter 3: Roles & Delegation

Chapter 5: Best Practices Checklist